Linux Privilege Escalation

Linux Privilege Escalation - Docker Group

Рет қаралды 11,170

Conda

Күн бұрын

Пікірлер: 39

@arianetrek7049 22 күн бұрын

I've scratched my head a whole week on this. Makes total sense, will try that tonight. Thank you!

@InfiniteLogins 3 жыл бұрын

Back at it again with another BANGER

@c0nd4 3 жыл бұрын

I appreciate the support as always 😁

@lahwfsk167 3 жыл бұрын

short and clear, right to the point big thanks

@hatit8074 3 жыл бұрын

A Big Big Big thank you for making this content bro. I loved it. I am exactly in the stage to get better with the content u posted. 😍

@c0nd4 3 жыл бұрын

No problem! I really appreciate the support

@koushiksuthar95 3 жыл бұрын

Very helpful 👍👍 Great Conda

@c0nd4 3 жыл бұрын

Glad it was helpful! Thanks!

@hatit8074 3 жыл бұрын

Awesome cool trick bro. Thank you. Am ur fan now onwards 😍

@krenilraj4180 Жыл бұрын

You made it easy for me thanks bro

@AM-ud1bq 3 жыл бұрын

Holy cr*p. Amazing. GTFOBins at its best! I love your videos!! Thank you!

@c0nd4 3 жыл бұрын

Thank you! Glad you found the video helpful

@qj1eo 2 жыл бұрын

i love you man , y r BEST TEACHER

@TheBroadwood 3 жыл бұрын

Great Video! But how/why does the change of the shadow-file in the container filesystem affect the filesystem of the host?

@c0nd4 3 жыл бұрын

Thanks! This is because it was volume mounted. Files and directories that are volume mounted are shared memory between the host and container. Therefore, a change to a file that is volume mounted will effect both the container and host. Hope this helps to clarify!

@InfiniteLogins 3 жыл бұрын

Question - If we had a shell as root within the docker container, and then we update the /etc/shadow file so that the root user of the host system no longer has a password, how do we escape out of the docker container to escalate to root? Typing exit in our shell would just kill our session and wouldn't take us to the filesystem as 'lowpriv' in this circumstance.

@c0nd4 3 жыл бұрын

Ctrl + p then Ctrl + q should bring you from interactive mode to daemon mode in the container. I think this is what you would want.

@HowToEverything1 3 жыл бұрын

Ayo this was amazing!!

@c0nd4 3 жыл бұрын

Glad it was helpful! Appreciate the support a ton

@madhavnakar9396 3 жыл бұрын

Learned something new from the video, thank you. Do you know of any HTB box where I can use this priv esc method for practice?

@c0nd4 3 жыл бұрын

Glad you liked the video! Check out HTB Cached for some practice with this method. Good luck!

@vistachris2965 3 жыл бұрын

Another awesome precise lesson. Could I make a request? You have so much screen realestate in your videos, could you ctrl + the terminal for us watching on mobile? It's difficult to see. Thanks!!!

@c0nd4 3 жыл бұрын

Great suggestion! I'll keep that in mind for future videos. Thanks!

@davidnagar3501 Жыл бұрын

learned some great stuff, Thanx !!!!!

@jesusxXxlizzard 3 жыл бұрын

Very nice man 👍

@c0nd4 3 жыл бұрын

Thank you!

@0xrohit54 3 жыл бұрын

Very helpful sir... 🙏🙏🙏

@crash9706 3 жыл бұрын

So to mitigate this you should also put limited permission on what the lowpriv can do inside the docker container or am I wrong. Please let me know how to mitigate against this. Great video as usual

@c0nd4 3 жыл бұрын

I don't believe docker has the ability to do this. I believe the best way to mitigate this is to limit the users you allow into the docker group.

@intellectualgravy9796 3 жыл бұрын

What if we don't have any images to make containers from on the victim and there is no internet access on the victim. Is there something allows import of docker images like there is a known method for lxc containers.

@c0nd4 3 жыл бұрын

Great question. You can load docker containers from a tar file. So you could transfer the tar file over, then load that. This may help you. stackoverflow.com/questions/40582300/how-to-load-a-docker-image-from-a-tar-file

@intellectualgravy9796 3 жыл бұрын

@@c0nd4 Thanks for such a fast response. That saved me some time.

@c0nd4 3 жыл бұрын

No problem 😁

@smugunthan0459 3 жыл бұрын

Hi great video!! Can you make a video on docker container escape/ docker breakout.

@noorlutfe3227 11 ай бұрын

@c0nd4 Isn't this weird that we can mount something that we don't have access to! I mean we don't have access to root for example but we can mount it, how does it allow us to mount "/" even we don't have access to everything inside it, that's where the misconfiguration lies!

@sabyasachisahoo8975 3 жыл бұрын

make video upon abuse lxd...i did it in past,but right now when i do that things that script give me error.......for example:===>>>Their is a machine in Tryhackme (Gaming server)

@c0nd4 3 жыл бұрын

Sure, I'll definitely look into making a video on that. Thanks for the suggestion! I actually performed this method on my HTB Tabby livestream. Check that out if you'd like to see how I did it!